
need help hardening against attack


Megunticook

1:47 pm on Aug 21, 2018 (gmt 0)

5+ Year Member



My LAMP web server became briefly unresponsive this morning, and looking at the log, it looks like it was getting hammered with requests from a suspicious IP. My network activity monitor spiked and there were a bunch of these events in the log:

[proxy_fcgi:error] [pid 27335:tid 139984352806656] (70007)The timeout specified has expired: [client 94.242.62.xxx:45600] AH01075: Error dispatching request to : (polling), referer: https://www.instagram.com/explore/tags/trending/


This happened a couple days ago (different IP address), and I added this to my httpd.conf:

<Proxy "*">
Require ip 18.188.18.xxx
</Proxy>


But apparently I need to do more here. If anybody can explain exactly what these malicious servers are trying to do and how I harden Apache against it, I'd be most grateful. I blacklisted the IP, but that's not a total solution as other attackers will exploit the same vulnerability.

[edited by: phranque at 9:54 pm (utc) on Aug 21, 2018]
[edit reason] obscured IPs [/edit]
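As an added example (not code from the original post), here is a small Python script that parses error-log lines of the shape quoted above (mod_proxy_fcgi AH01075 timeouts with a client address and referer) and flags client IPs whose timeouts cluster inside a short window, so the log itself shows who is hammering the backend instead of relying on an IP spotted by eye. The sample lines, client IPs, window and threshold are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Apache 2.4 error-log entry as quoted above: [ts] [module:level] [pid:tid] (apr) msg [client ip:port] rest
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[\w-]+):\w+\] \[pid \d+(?::tid \d+)?\] "
    r"(?:\(\d+\))?[^\[]*?\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] (?P<rest>.*)$")

def parse_line(line):
    """Parse one error-log line; None for lines without a [client ip:port] field."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    code = re.search(r"\b(AH\d{5})\b", m.group("rest"))
    ref = re.search(r"referer: (\S+)", m.group("rest"))
    return {"time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y"),
            "module": m.group("module"), "ip": m.group("ip"),
            "code": code and code.group(1), "referer": ref and ref.group(1)}

def max_burst(times, window):
    """Largest number of events inside any span of `window` seconds (sliding window)."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_hammering(lines, window=60, threshold=5):
    """client IP -> (total AH01075 timeouts, worst burst, top referer) for clients whose
    proxy_fcgi timeouts reached `threshold` within `window` seconds; others are ignored."""
    events, referers = defaultdict(list), defaultdict(Counter)
    for ev in filter(None, map(parse_line, lines)):
        if ev["module"] == "proxy_fcgi" and ev["code"] == "AH01075":
            events[ev["ip"]].append(ev["time"])
            referers[ev["ip"]][ev["referer"]] += 1
    flagged = {}
    for ip, times in events.items():
        burst = max_burst(times, window)
        if burst >= threshold:
            flagged[ip] = (len(times), burst, referers[ip].most_common(1)[0][0])
    return flagged

# Constructed sample lines (not from the original post); client IPs are documentation ranges.
_TMPL = ("[Tue Aug 21 09:12:{:02d}.000000 2018] [proxy_fcgi:error] [pid 27335:tid 139984352806656] "
         "(70007)The timeout specified has expired: [client {}:{}] AH01075: Error dispatching "
         "request to : (polling), referer: https://www.instagram.com/explore/tags/trending/")
SAMPLE_LINES = [_TMPL.format(5 * i, "192.0.2.10", 45600 + i) for i in range(6)]  # 6 timeouts in 25 s
SAMPLE_LINES.append(_TMPL.format(40, "198.51.100.7", 51000))                       # one-off timeout
```

Run it over a real error_log by passing the file's lines to find_hammering; the one-off client is not reported, only the client whose timeouts clustered.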

keyplyr

10:42 pm on Aug 21, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi Megunticook and welcome to WebmasterWorld [webmasterworld.com]

Security is an ongoing endeavor. There's really no one or two things that accomplish total security.

Here are a few related discussions:

Search Engine Spider & User Agent ID Forum [webmasterworld.com]

Server Farm IP Ranges [webmasterworld.com]

Blocking Methods [webmasterworld.com]

Amazon IP ranges [webmasterworld.com]

- - -

not2easy

4:39 am on Aug 22, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I rely on my access logs to tell me what it is that unwanted visitors are asking for or seeking. IP blocking can be useful, but blocking a single IP should be the last-ditch effort; it is the least effective way to handle them. It doesn't really help for me to explain what I'm doing because we all have our favorite tools to handle different tasks. Different sites have different priorities and patterns of traffic.

Basically I'd suggest that you become familiar with your access logs, learn to spot unwelcome visitors and sort them into your most important to deal with categories. It may take time to get started with, but there just is no "paste this and you're good" response for all the exploits, UAs, and bad behavior that you'll find in your logs. Once you know what you want to prevent you can set up the most effective defenses. When you know what you want to exclude there are people ready to help you work it out.

Leosghost

11:15 am on Aug 22, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For a "quick fix" while you explore the above suggestions, put your site behind a Cloudflare (or similar) system.

Megunticook

10:54 pm on Aug 22, 2018 (gmt 0)

5+ Year Member




Thanks for the replies. I've been mostly eyeing my httpd_error log but will start monitoring the access log as well.

I've set up a CloudFront distribution and am in the process of putting all my static content (WordPress site) into an S3 bucket.

Then I should be able to configure AWS security tools to pretty much keep people away from directly contacting my server (if I understand the documentation I'm reading), so they're interfacing with the CDN instead. This ought to ease the load on my server as well, plus make the site a lot snappier for visitors.

But I will definitely read up more on how to harden Apache. I also need to keep tuning the server--I saw a "server reached MaxRequestWorkers setting" notice today in the log (although I carefully set this parameter according to guidance I found on some blogs and the Apache documentation).

Interestingly, things have been pretty smooth sailing, but when I recently switched from prefork to event MPM (wanted to use http2 and make the server more efficient), that's when I suddenly had some issues (the server has been online since February).

I'll keep checking in here and look forward to learning (and teaching others eventually!). Thanks for your interest and help.

By the way, I've set up several NGINX servers on Ubuntu just to get familiar with that technology; I must say they seem to outperform my Apache servers significantly. I need to educate myself fully on security and other configuration details, though, before putting one into production (although my personal server is currently running NGINX). I have a feeling I may go over completely to NGINX when I get comfortable.

JS_Harris

9:37 pm on Sep 19, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Timeout issue: make sure your Timeout and ProxyTimeout values are the same; that error is common when they aren't. Timeout default is 60 seconds; ProxyTimeout often is 90 seconds but should match too. I'd check these first.
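As an added example (not code from the reply or from Apache), here is a small Python checker that applies the rule above to an httpd.conf: it reads the global-scope Timeout and ProxyTimeout directives and reports whether the effective values match. It assumes Apache's documented defaults (Timeout 60 s; ProxyTimeout inherits Timeout when unset), treats <IfModule>/<IfDefine> as transparent, and ignores directives inside other containers such as <VirtualHost>; the config fragments are constructed, not the poster's.

```python
import re

# Directives named in the reply above; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*(Timeout|ProxyTimeout)\s+(\d+)\s*$", re.IGNORECASE)
CONTAINER_RE = re.compile(r"^\s*<(/?)(\w+)", re.IGNORECASE)
TRANSPARENT = {"ifmodule", "ifdefine"}   # conditional wrappers, not a separate scope (assumption)

def collect_timeouts(conf_text):
    """Return {'timeout': int|None, 'proxytimeout': int|None} from global-scope directives.
    Directives inside <VirtualHost>, <Proxy> and similar containers are skipped."""
    found = {"timeout": None, "proxytimeout": None}
    depth = 0
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):          # whole-line comment
            continue
        c = CONTAINER_RE.match(line)
        if c:
            if c.group(2).lower() not in TRANSPARENT:
                depth += -1 if c.group(1) else 1   # track <Section> ... </Section> nesting
            continue
        d = DIRECTIVE_RE.match(line)
        if d and depth == 0:
            found[d.group(1).lower()] = int(d.group(2))   # a later directive overrides an earlier one
    return found

def check_timeouts(conf_text, default_timeout=60):
    """(ok, message): ok is True when effective Timeout and ProxyTimeout are equal.
    Assumed defaults: Timeout 60 s; ProxyTimeout inherits Timeout when not set."""
    found = collect_timeouts(conf_text)
    timeout = found["timeout"] if found["timeout"] is not None else default_timeout
    proxy = found["proxytimeout"] if found["proxytimeout"] is not None else timeout
    if timeout == proxy:
        return (True, f"Timeout and ProxyTimeout both {timeout}s")
    return (False, f"Timeout {timeout}s but ProxyTimeout {proxy}s: set ProxyTimeout {timeout}")

# Constructed httpd.conf fragments (not the poster's configuration).
MISMATCHED_CONF = """\
Timeout 60
# the common mismatch named in the reply
ProxyTimeout 90
"""
MATCHED_CONF = """\
Timeout 60
<IfModule proxy_module>
    ProxyTimeout 60
</IfModule>
"""
```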